Fighting Mobile Fraud with Google Referrer API

Lior Goldin, Jul 20, 2018

The Google Play Referrer is a standard, highly reliable and accurate method for attributing conversions through Google Play (but not for Android installs from outside the store). It enables the attribution provider to send attribution parameters to the store, which then passes them back to the source when the app is downloaded.

But as fraudsters are constantly on the lookout for new ways to game the system, they’ve found a loophole in the referrer method using a form of install hijacking.

Unlike bots or behavioral anomalies, install hijacking occurs when attribution of a real install from a real user is compromised or hijacked. In referral install hijacking, malicious code sends false “referral” data to the SDK of a measurement or attribution provider in an attempt to hijack credit for an app install.

The new Google Referrer API, developed in collaboration with our partners at Google, closes this gap by authenticating referrer data and actively blocking referrer injection.

“We know first hand how important accurate and authenticated referral data can be to developers,” said Marcus Leal, Product Manager at Google. “We built the Google Play Install Referrer API to not only help businesses make better product and marketing decisions through a better understanding of how people discover their app, but to also protect them against fraud and abuse.”

How much fraud does Google Referrer API help catch?

We can see that there is quite a significant amount of fraud that aims to game attribution platforms by injecting a click after the download starts, particularly affecting campaigns in Asia.

Figure: Referrer Install Hijacking by country

Among categories, Finance is heavily impacted, followed by lifestyle-related apps. The impact on gaming is relatively marginal, probably because the lower CPI in this vertical is less attractive to fraudsters, and because gaming app marketers, being savvier than others in most cases, often have stronger defense mechanisms in place.

Figure: Referrer Install Hijacking by category

Transparency, certainty and deeper, granular insight

Understanding what your users are doing between a click on the Google referrer link and installing your app is crucial for detecting and blocking install hijacking, and it helps you make informed product and marketing decisions.

This is why AppsFlyer delivers comprehensive referrer install hijacking reporting in the Protect360 dashboard and makes the new Play Store data available in raw data reports.

New Play Store data includes:

The referrer string (URL) of the installed package

The timestamp, in seconds, of when the referrer click happened

The timestamp, in seconds, of when the install (download) process began

Why Google Referrer data matters:

Increased accuracy in detecting and blocking ad fraud.

Deeper, granular insights: You know exactly what kind of fraud was blocked and why.

Deeper insights into the user journey: Whereas in the past, the only available data points were click time and install time, adding new data points offers more insights into the mobile customer journey.

Visibility into the referrer string means fraudsters can no longer simulate the referrer URL.

Greater certainty beyond CTIT: Whereas standard install hijacking click to install time (CTIT) analysis typically looks for a significant volume of installs during the first 2-5 seconds after an install, some apps are slower to install than others. By analyzing the complete user journey, from click, through download, to first app open, you’ll be able to make informed decisions and customize your CTIT based on your users’ behavior.
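The following added example, which is not AppsFlyer's or Google's code, applies the three Play Store data points to constructed install records: it flags a click reported after the download began, flags a claim that disagrees with the store's referrer data, and splits CTIT into its click-to-download and download-to-open legs. The field names, verdict labels and sample values are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Install:
    # Hypothetical field names (assumptions); all timestamps are epoch seconds.
    claimed_referrer: str   # referrer string sent by the click claiming credit
    claimed_click_ts: int   # click time reported by that click
    play_referrer: str      # referrer string returned by the Play Store
    play_click_ts: int      # referrer click time returned by the Play Store
    install_begin_ts: int   # install (download) begin time from the Play Store
    first_open_ts: int      # first app open seen by the attribution SDK

def classify(i: Install) -> str:
    # A click that arrives after the download began cannot have caused it.
    if i.claimed_click_ts > i.install_begin_ts:
        return "click_after_download_start"
    # The claim must agree with what the store authenticated.
    if (i.claimed_referrer, i.claimed_click_ts) != (i.play_referrer, i.play_click_ts):
        return "referrer_mismatch"
    return "ok"

def journey(i: Install) -> dict:
    # Split the single CTIT number into the two legs the store data exposes.
    return {
        "ctit": i.first_open_ts - i.claimed_click_ts,
        "click_to_download": i.install_begin_ts - i.play_click_ts,
        "download_to_open": i.first_open_ts - i.install_begin_ts,
    }

def summarize(installs) -> Counter:
    # Count verdicts across a batch of raw-data rows.
    return Counter(classify(i) for i in installs)

# Constructed sample records, not real campaign data.
SAMPLE = [
    # Fast but genuine: short CTIT, click precedes the download.
    Install("utm_source=net_a", 1000, "utm_source=net_a", 1000, 1003, 1012),
    # Click reported 20 s after the download began.
    Install("utm_source=net_x", 2030, "utm_source=net_a", 2000, 2010, 2035),
    # Click time is plausible, but the referrer string differs from the store's.
    Install("utm_source=net_x", 3000, "utm_source=net_a", 3000, 3004, 3060),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(classify(rec), journey(rec))
    print(dict(summarize(SAMPLE)))
```

The first two records both have a short CTIT (12 and 5 seconds), yet only the second is flagged, because the decision rests on the order of click and download start rather than on a fixed CTIT threshold.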

About Lior Goldin

As a Partner Development Manager, Lior manages AppsFlyer’s worldwide partnership with Google. Prior to joining AppsFlyer, Lior worked with leading marketers and agencies, bringing innovative marketing and advertising campaigns to life.